Last Updated: 2026-03-29
Runtime Baseline: net10.0
Sentinel is a modular security platform focused on high-assurance API protection and standards-aligned identity flows. The architecture separates security contracts, protocol engines, integration adapters, and host-specific API wiring.
Core properties:
- Sender-constrained access via DPoP (RFC 9449)
- Replay resistance for access tokens and DPoP proofs
- Session invalidation and revocation propagation
- Rich authorization constraints (RAR-style payload checks)
- Shared security event ingestion (SSF/SET)
- Minimal API host integration via explicit endpoint mapping
- Sentinel.Security.Abstractions
  - Cross-module interfaces and contracts (caches, validators, options, result types)
- Sentinel.Domain
  - Domain entities, value objects, and invariants
- Sentinel.Application
  - Application-level orchestration and cross-domain use cases
- Sentinel.DPoP
  - DPoP validation engine and thumbprint computation
- Sentinel.Session
  - Session lifecycle and revocation logic
- Sentinel.SSF
  - Security event token processing and revocation side-effects
- Sentinel.SdJwt
  - Selective disclosure validation components
- Sentinel.Rar
  - Authorization details extraction and rule validation
- Sentinel.Security.Diagnostics
  - Canonical telemetry and security diagnostics primitives
- Sentinel.Redis
  - Replay, nonce, and blacklist cache adapters
- Sentinel.Keycloak
  - Keycloak protocol integration and admin/token services
- Sentinel.EntityFrameworkCore
  - EF-backed security state implementations
- Sentinel.Infrastructure
  - Composition and operational services (DI, auth services, crypto, notifications)
- Sentinel.AspNetCore
  - Minimal API endpoint mapping extensions
  - Filters/middleware for idempotency and ACR step-up
  - Endpoint groups: auth, token exchange, SSF, backchannel logout
- samples/Sentinel.Sample.MinimalApi
  - Demonstrates framework endpoint mapping and business endpoint hardening
  - Shows encryption-at-rest, idempotency, ACR step-up, and RAR guardrail patterns
For protected routes in a host using Sentinel.AspNetCore, the request passes through these stages in order:
- Transport and host middleware execute (HTTPS, exception handling, auth/authorization middleware).
- Authentication validates the token envelope and principal.
- DPoP checks bind the proof to the method/URL/time/JKT context.
- Endpoint filters enforce route-specific policies:
  - RequireIdempotency()
  - RequireAcrStepUp(...)
  - custom domain filters (e.g., RAR bounds checks)
- The business handler executes only after policy and protocol checks pass.
- The response emits typed success or RFC 7807 problem details.
Sentinel core endpoints are mounted under a prefix chosen by the host:

```csharp
app.MapSentinelSecurity("api/system/security");
```

Mapped groups (relative to that prefix) include:
- /auth/*
- /ssf/events
- /auth/token-exchange
- /auth/backchannel-logout
This enables:
- host-controlled versioning and namespace boundaries
- predictable integration in multi-service APIs
- no hard-coded global route ownership by framework internals
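A host wired the way the pipeline and mounting sections describe, added here as an example rather than taken from the project's sample. MapSentinelSecurity, RequireIdempotency and RequireAcrStepUp are called with the shapes this document implies (assumed signatures; the ACR value is a placeholder), and RarTransferBoundsFilter is a hypothetical custom filter whose authorization_details claim shape is likewise assumed:

```csharp
using System.Globalization;
using System.Text.Json;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication().AddJwtBearer(); // assumed host setup (JwtBearer package), not Sentinel's
builder.Services.AddAuthorization();
var app = builder.Build();

// Order follows the document: transport/host middleware, then authentication/authorization, then filters.
app.UseHttpsRedirection();
app.UseExceptionHandler("/error");
app.UseAuthentication();
app.UseAuthorization();

// Framework endpoints under a host-chosen namespace: /api/system/security/auth/*, /ssf/events, ...
app.MapSentinelSecurity("api/system/security");

// A state-changing, high-assurance business route: every policy is explicit on the route itself.
app.MapPost("/api/finance/transfers", (TransferRequest req) => Results.Ok(new { status = "accepted", req.Amount }))
   .RequireAuthorization()
   .RequireIdempotency()                          // Sentinel filter (assumed signature): Idempotency-Key required
   .RequireAcrStepUp("urn:example:acr:mfa")       // Sentinel filter (assumed signature); ACR value is a placeholder
   .AddEndpointFilter<RarTransferBoundsFilter>(); // custom domain filter: RAR-style payload bounds

app.Run();

public record TransferRequest(string ToAccount, decimal Amount);

// Rejects a transfer whose amount exceeds the limit granted in the token's authorization_details
// claim (RFC 9396). Assumed claim shape: [{"type":"payment_initiation","max_amount":"1000.00"}]
public sealed class RarTransferBoundsFilter : IEndpointFilter
{
    public async ValueTask<object?> InvokeAsync(EndpointFilterInvocationContext ctx, EndpointFilterDelegate next)
    {
        var req = ctx.GetArgument<TransferRequest>(0);
        var raw = ctx.HttpContext.User.FindFirst("authorization_details")?.Value;
        if (raw is null) return Results.Problem(statusCode: 403, title: "No authorization_details grant"); // fail closed
        decimal max = 0;
        using var doc = JsonDocument.Parse(raw);
        if (doc.RootElement.ValueKind == JsonValueKind.Array)
            foreach (var d in doc.RootElement.EnumerateArray())
                if (d.TryGetProperty("type", out var t) && t.GetString() == "payment_initiation"
                    && d.TryGetProperty("max_amount", out var m)
                    && decimal.TryParse(m.GetString(), NumberStyles.Number, CultureInfo.InvariantCulture, out var limit))
                    max = Math.Max(max, limit);
        if (req.Amount <= 0 || req.Amount > max)
            return Results.Problem(statusCode: 403, title: "Transfer exceeds authorized bounds");
        return await next(ctx); // business handler runs only after all policy checks pass
    }
}
```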
- Proof validation checks typ/alg/htm/htu/iat and JWK thumbprint semantics
- Proof JTI replay is stateful and fail-closed when backing stores are unavailable
- Nonce challenge flow uses 401 + WWW-Authenticate + DPoP-Nonce
- Session blacklist is used for local revocation enforcement
- Auth logout and SSF events converge on session invalidation behavior
- ACR step-up support for high-assurance operations
- Route-level idempotency requirements for state-changing operations
- Domain-level payload-bound validation (RAR-style) for finance transfer safety
- Telemetry and event emission are centralized in Sentinel.Security.Diagnostics
- Canonical IP context hashing uses HMAC-based pseudonymization for privacy hardening
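The proof validation and fail-closed replay behaviour in the first two items above, written out as an added example that is not Sentinel's own DPoP engine. It uses only the .NET 10 BCL, assumes ES256 proofs with P-256 keys, and IProofReplayStore is a hypothetical stand-in for the Redis-backed JTI cache:

```csharp
using System.Buffers.Text;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
public interface IProofReplayStore { Task<bool> TryAddAsync(string jti, TimeSpan ttl); } // hypothetical JTI cache; true = first sighting
public static class DpopProofValidator
{
    static readonly TimeSpan Skew = TimeSpan.FromSeconds(60);
    static byte[] B64(string? s) => Base64Url.DecodeFromChars(s);
    // Returns null when the proof is acceptable, otherwise the rejection reason (ES256/P-256 assumed).
    public static async Task<string?> ValidateAsync(string proof, string htm, string htu,
        string expectedJkt, DateTimeOffset now, IProofReplayStore replay)
    {
        string[] p = proof.Split('.');
        if (p.Length != 3) return "malformed JWS";
        string? jti;
        try {
            using var hdr = JsonDocument.Parse(B64(p[0]));
            using var body = JsonDocument.Parse(B64(p[1]));
            JsonElement h = hdr.RootElement, c = body.RootElement;
            if (h.GetProperty("typ").GetString() != "dpop+jwt" || h.GetProperty("alg").GetString() != "ES256") return "typ/alg not dpop+jwt/ES256";
            JsonElement jwk = h.GetProperty("jwk");
            // Signature over header.payload, verified with the public key embedded in the proof itself.
            using var key = ECDsa.Create(new ECParameters { Curve = ECCurve.NamedCurves.nistP256,
                Q = new ECPoint { X = B64(jwk.GetProperty("x").GetString()), Y = B64(jwk.GetProperty("y").GetString()) } });
            if (!key.VerifyData(Encoding.ASCII.GetBytes(p[0] + "." + p[1]), B64(p[2]),
                    HashAlgorithmName.SHA256, DSASignatureFormat.IeeeP1363FixedFieldConcatenation)) return "bad signature";
            // Bind to this request: method, URL (no query/fragment) and bounded issue time.
            if (c.GetProperty("htm").GetString() != htm || c.GetProperty("htu").GetString() != htu) return "htm/htu mismatch";
            var iat = DateTimeOffset.FromUnixTimeSeconds(c.GetProperty("iat").GetInt64());
            if (iat > now + Skew || iat < now - Skew) return "iat outside window";
            // Key binding: the RFC 7638 thumbprint must equal the access token's cnf.jkt.
            if (Thumbprint(jwk) != expectedJkt) return "jkt mismatch";
            jti = c.GetProperty("jti").GetString(); if (string.IsNullOrEmpty(jti)) return "jti missing";
        }
        catch (Exception e) when (e is JsonException or KeyNotFoundException or FormatException or CryptographicException) { return "malformed proof"; }
        // Replay: the JTI must be first-seen; a store outage is a rejection, never a bypass.
        try { if (!await replay.TryAddAsync(jti, Skew * 2)) return "proof replayed"; }
        catch (Exception) { return "replay store unavailable"; } // fail closed
        return null;
    }
    // RFC 7638 thumbprint of an EC JWK: required members in lexicographic order, no whitespace, SHA-256, base64url.
    public static string Thumbprint(JsonElement jwk)
    {
        string g(string n) => jwk.GetProperty(n).GetString()!;
        var canonical = "{\"crv\":\"" + g("crv") + "\",\"kty\":\"EC\",\"x\":\"" + g("x") + "\",\"y\":\"" + g("y") + "\"}";
        return Base64Url.EncodeToString(SHA256.HashData(Encoding.ASCII.GetBytes(canonical)));
    }
}
```

The caller is expected to have already resolved cnf.jkt from the validated access token and to compare htu against the request URL with query and fragment stripped.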
- Abstractions-first composition
  - Module contracts are defined in Sentinel.Security.Abstractions to avoid adapter lock-in.
- Fail-closed for security-critical state dependencies
  - Replay and blacklist dependency failures are treated as security failures, not permissive bypasses.
- Endpoint filter-based policy composition
  - High-risk checks are explicit per route, which avoids opaque global behavior.
- Host-controlled routing
  - Framework endpoints are namespaced by the host, supporting phased migrations.
- Diagnostics centralization
  - Security telemetry primitives are not duplicated across adapters.
Trust boundaries:
- Client to API host
- API host to cache/state stores
- API host to identity provider metadata/JWKS
- API host to security event senders (SSF)
Operationally sensitive dependencies:
- Redis/cache state for replay/nonce/session protections
- IdP discovery/JWKS availability
- Accurate service time for bounded token/proof validity logic
- Container packaging is currently not fully production-ready in this repository because an active application Dockerfile is not present (see CONTAINER_BUILD_READINESS.md).
- Sample and framework endpoint OpenAPI contracts are maintained manually and require release-time updates.
Any change in these areas requires architecture + compliance + threat model updates in the same pull request:
- auth pipeline order or semantics
- endpoint path contracts
- replay/nonce/session storage behavior
- DPoP, SSF, or RAR validation rules
- error behavior for fail-closed conditions